The Windows 11 SMB server is now better protected against brute-force attacks with the release of Insider Preview Build 25206 to the Dev Channel, Microsoft announced. The Redmond team has enabled the SMB authentication rate limiter by default and tweaked some of its settings to make such attacks less effective, starting with this latest Windows 11 Insider dev build.
“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication,” explained Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group.
How to enable on Windows Server
SMB authentication rate limiter was first accessible in Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds. To get the benefits of extra protection against brute-force attacks on systems running Windows Server, admins have to use the following PowerShell command manually (where n is equal to delay time between each failed NTLM auth attempt):
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n“This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer of defense in depth, especially for devices not joined to domains such as home users,” Pyle added.
Microsoft’s announcement follows several other SMB security improvements in recent years, including changing the 30-year-old SMBv1 file-sharing protocol (for some users) and making SMB over QUIC generally availability in Windows 11 and Windows Server 2022.
“We will harden, deprecate, or remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign, similar to the removal of SMB1,” Pyle concluded.
